JOURNAL OF COMPUTERS, VOL. 8, NO. 6, JUNE 2013 1621

$(g, g_1, g_2, h)$. Let mk be the master-secret key and let params be the public parameters.

2) $\mathrm{KeyGen}_{IBE}(mk, params, ID)$. Given $mk = g_2^{\alpha}$ and $ID$ with params, the PKG picks random $s_0, s_1 \in Z_p^*$, chooses a hash function $\tilde{H}: Z_p^* \times \{0,1\}^* \to Z_p^*$ and computes $u_0 = \tilde{H}(s_0, ID)$, $u_1 = \tilde{H}(s_1, ID)$. Set

$$sk_{ID} = (d_0, d_1, d'_0) = \left(g_2^{\alpha}(g_1^{ID}h)^{u_0},\ g^{u_0},\ g_2^{\alpha}(g_1^{ID}h)^{u_1}\right).$$

The PKG preserves $(s_0, s_1)$.

3) $\mathrm{Enc}_{IBE}(ID, params, M)$. To encrypt a message $M \in G_1$ under the public key $ID \in Z_p^*$, pick a random $r \in Z_p^*$ and compute

$$C_{ID} = \left(g^{r},\ (g_1^{ID}h)^{r},\ M e(g_1, g_2)^{r}\right).$$

4) $\mathrm{Dec}_{IBE}(sk_{ID}, params, C_{ID})$. Given ciphertext $C_{ID} = (C_1, C_2, C_3)$ and the secret key $sk_{ID} = (d_0, d_1)$ with params, compute

$$M = \frac{C_3\, e(d_1, C_2)}{e(d_0, C_1)}.$$

delegation scheme:

1) $\mathrm{KeyGen}_{PRO}(sk_R, params, ID, ID')$. The PKG computes $u'_1 = \tilde{H}(s_1, ID')$, randomly selects $k_1, k_2, k_3 \in Z_p^*$ and sets

$$rk_{ID \to ID'} = (rk_1, rk_2, rk_3, rk_4) = \left(\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2,\ g^{u'_1 k_3},\ g^{u'_1 k_2 k_3},\ g^{u'_1 k_1}\right)$$

and sends them to the proxy via a secure channel. We must note that the PKG computes a different $(k_1, k_2, k_3)$ for every different user pair $(ID, ID')$.

2) $\mathrm{Check}(params, C_{ID}, ID)$. Given the delegator's identity $ID$ and $C_{ID} = (C_1, C_2, C_3)$ with params, compute $v_0 = e(C_1, g_1^{ID}h)$ and $v_1 = e(C_2, g)$. If $v_0 = v_1$ then output 1. Otherwise output 0.

3) $\mathrm{ReEnc}(rk_{ID \to ID'}, params, C_{ID}, ID')$. Given the identities $ID$, $ID'$ and

$$rk_{ID \to ID'} = (rk_1, rk_2, rk_3, rk_4) = \left(\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2,\ g^{u'_1 k_3},\ g^{u'_1 k_2 k_3},\ g^{u'_1 k_1}\right)$$

with params, the proxy re-encrypts the ciphertext $C_{ID}$ into $C_{ID'}$ as follows. First it runs "Check"; if the output is 0, it returns "Reject". Otherwise it computes

$$C_{2ID'} = (C'_1, C'_2, C'_3, C'_4, C'_5, C'_6, C'_7) = \left(C_1,\ C_2,\ C_3,\ C_2^{\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2},\ rk_2,\ rk_3,\ rk_4\right).$$

4) $\mathrm{Dec1}_{IBE}(sk_{ID'}, params, C_{2ID'})$. Given a re-encrypted ciphertext $C_{2ID'} = (C'_1, C'_2, C'_3, C'_4, C'_5, C'_6, C'_7)$ and the secret key $sk_{ID} = (d_0, d_1, d'_0)$ with params, compute

$$M = \frac{C'_3\, e(C'_5, C'_4)}{e(C'_2, C'_6)\, e(C'_1, C'_7)\, e(d'_0, C'_1)} = \frac{C'_3\, e(rk_2, C'_4)}{e(C'_2, rk_3)\, e(C'_1, rk_4)\, e(d'_0, C'_1)}.$$

5) $\mathrm{Dec2}_{IBE}(sk_{ID'}, params, C_{1ID'})$. Given a normal ciphertext $C_{ID'} = (C_1, C_2, C_3)$ and the secret key $sk_{ID'} = (d_0, d_1, d'_0)$ with params, compute

$$M = \frac{C_3\, e(d_1, C_2)}{e(d_0, C_1)}.$$

We can verify its correctness as follows:

$$\frac{C'_3\, e(rk_2, C'_4)}{e(C'_2, rk_3)\, e(C'_1, rk_4)\, e(d'_0, C'_1)}$$

$$= \frac{M e(g_1, g_2)^{r}\, e\!\left(g^{k_3 u'_1},\ (g_1^{ID}h)^{r\left(\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2\right)}\right)}{e\!\left((g_1^{ID}h)^{r},\ g^{u'_1 k_2 k_3}\right) e\!\left(g^{r},\ g^{k_1 u'_1}\right) e\!\left(g_2^{\alpha}(g_1^{ID'}h)^{u'_1},\ g^{r}\right)}$$

$$= \frac{M e(g_1, g_2)^{r}\, e\!\left(g^{k_3 u'_1},\ (g_1^{ID}h)^{k_2 r}\right) e\!\left(g^{k_3 u'_1},\ (g_1^{ID'}h)^{\frac{r}{k_3}}\right) e\!\left(g^{k_3 u'_1},\ g^{\frac{k_1 r}{k_3}}\right)}{e\!\left((g_1^{ID}h)^{r},\ g^{u'_1 k_2 k_3}\right) e\!\left(g^{r},\ g^{k_1 u'_1}\right) e\!\left(g_2^{\alpha}(g_1^{ID'}h)^{u'_1},\ g^{r}\right)}$$

$$= \frac{M e(g_1, g_2)^{r}}{e(g_2^{\alpha}, g^{r})} = M$$

Remark 2: In our scheme, we must note that the PKG computes a different $(k_1, k_2, k_3)$ for every different pair $(ID, ID')$. Otherwise, if the adversary knows $\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2$ for five different pairs $(ID, ID')$ but the same $k_1, k_2, k_3, \alpha, t_2$, he can compute $(\alpha, t_2)$, which is not secure at all.

D. Security Analysis

Theorem 1: Suppose the DBDH assumption holds, then our scheme proposed in Section III-C is DGA-IBE-IND-sID-CPA secure for the proxy and the delegatee's colluding.

Proof: Suppose A can attack our scheme; we construct an algorithm B that solves the DBDH problem in G. On input $(g, g^{a}, g^{a^2}, g^{b}, g^{c}, T)$, algorithm B's goal is to output 1 if $T = e(g, g)^{abc}$ and 0 otherwise. Let $g_1 = g^{a}$, $g_2 = g^{b}$, $g_3 = g^{c}$. Algorithm B works by interacting with A in a selective identity game as follows:

1) Initialization. The selective identity game begins with A first outputting an identity $ID^*$ that it intends to attack.

2) Setup. To generate the system's parameters, algorithm B picks $\alpha' \in Z_p$ at random and defines $h = g_1^{-ID^*} g^{\alpha'} \in G$. It gives A the parameters $params = (g, g_1, g_2, h)$. Note that the corresponding master-key, which is unknown to B, is $g_2^{a} = g^{ab} \in G^*$.

3) Phase 1

• "A issues up to private key queries on $ID_i$". B selects randomly $r_i, r'_i \in Z_p^*$ and $k' \in Z_p$, and sets

$$sk_{ID_i} = (d_0, d_1, d'_0) = \left(g_2^{\frac{-\alpha'}{ID_i - ID^*}} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r_i},\ g_2^{\frac{-1}{ID_i - ID^*}} g^{r_i},\ g_2^{\frac{-\alpha'}{ID_i - ID^*}} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r'_i}\right).$$

We claim $sk_{ID_i}$ is a valid random private key for $ID_i$. To see this, let $\tilde{r}_i = r_i - \frac{b}{ID - ID^*}$ and $\tilde{r}'_i = r'_i - \frac{b}{ID - ID^*}$. Then we have that

$$d_0 = g_2^{\frac{-\alpha'}{ID_i - ID^*}} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r_i} = g_2^{a} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r_i - \frac{b}{ID - ID^*}} = g_2^{a} (g_1^{ID_i} h)^{\tilde{r}_i}.$$

$$d_1 = g_2^{\frac{-1}{ID_i - ID^*}} g^{r_i} = g^{\tilde{r}_i}.$$

$$d'_0 = g_2^{\frac{-\alpha'}{ID_i - ID^*}} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r'_i} = g_2^{a} \left(g_1^{(ID_i - ID^*)} g^{\alpha'}\right)^{r'_i - \frac{b}{ID - ID^*}} = g_2^{a} (g_1^{ID_i} h)^{\tilde{r}'_i}.$$

• "A issues up to rekey generation queries on $(ID, ID')$".

• The challenge B chooses a randomly $x \in Z_p^*$,

© 2013 ACADEMY PUBLISHER
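The correctness verification of the delegation scheme (KeyGen PRO, Check, ReEnc, then Dec1) can be replayed mechanically. The following is an added example, not code from the paper: it works in a toy model where every group element is stored as its discrete logarithm, so it checks the algebra only and provides no security. The prime `P`, the use of SHA-256 for the hash, and all function names are assumptions made for the illustration.

```python
# Toy "exponent" model (added example): g^x is stored as x mod P, e(g^x, g^y) as x*y mod P,
# and products/quotients in the target group become sums/differences. Algebra only, no security.
import hashlib
import secrets

P = 2**127 - 1  # prime group order, an assumed toy parameter

def rand():
    return secrets.randbelow(P - 1) + 1

def H(s, ident):  # stand-in for the hash H~ (SHA-256 is an assumption)
    d = hashlib.sha256(f"{s}|{ident}".encode()).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def pair(x, y):
    return x * y % P

def setup():  # g1 = g^alpha, h = g^t2, g2 = g^b; the PKG also keeps s0, s1
    return {k: rand() for k in ("alpha", "t2", "b", "s0", "s1")}

def pk(msk, ident):  # exponent of g1^ID * h (public; derived from msk only in this model)
    return (msk["alpha"] * ident + msk["t2"]) % P

def keygen(msk, ident):
    u0, u1 = H(msk["s0"], ident), H(msk["s1"], ident)
    mk = msk["b"] * msk["alpha"] % P  # mk = g2^alpha
    return ((mk + pk(msk, ident) * u0) % P, u0, (mk + pk(msk, ident) * u1) % P)

def enc(msk, ident, m):  # m is the exponent of the message M
    r = rand()
    return (r, pk(msk, ident) * r % P, (m + pair(msk["alpha"], msk["b"]) * r) % P)

def rekey(msk, ident, ident2):  # fresh (k1, k2, k3) per pair, as the scheme requires
    u1p, k1, k2, k3 = H(msk["s1"], ident2), rand(), rand(), rand()
    rk1 = ((pk(msk, ident2) + k1) * pow(k3 * pk(msk, ident), -1, P) + k2) % P
    return (rk1, u1p * k3 % P, u1p * k2 * k3 % P, u1p * k1 % P)

def check(msk, ct, ident):  # e(C1, g1^ID h) == e(C2, g)
    return pair(ct[0], pk(msk, ident)) == pair(ct[1], 1)

def reenc(msk, rk, ct, ident):
    if not check(msk, ct, ident):
        return None  # "Reject"
    return (ct[0], ct[1], ct[2], ct[1] * rk[0] % P, rk[1], rk[2], rk[3])

def dec1(sk, c):  # M = C3' e(C5', C4') / (e(C2', C6') e(C1', C7') e(d0', C1'))
    den = pair(c[1], c[5]) + pair(c[0], c[6]) + pair(sk[2], c[0])
    return (c[2] + pair(c[4], c[3]) - den) % P
```

Re-encrypting a ciphertext for one identity and decrypting it with the delegatee's key returns the original message exponent, while a ciphertext whose second component has been altered fails Check and is rejected.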
